What's new in HCL AppScan® Enterprise
This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan® Enterprise 10.10.0
- Gen AI-powered error page detection: Intelligent Finding Analytics (IFA) now leverages Azure OpenAI to enhance error page detection in Dynamic Application Security Testing (DAST). This integration uses Generative AI to confirm errors and handle edge cases, significantly improving accuracy, reducing false positives, and minimizing scan times.
- REST API enhancements: This release introduces several new and enhanced REST
API endpoints to improve automation and integration:
- GET /applications/{appId}/scans: Returns a list of all scans associated with an application ID, with advanced sorting options.
- POST /jobs/{jobId}/dastconfig/openapi/specification/process: Uploads an OpenAPI description file and extracts additional parameters to streamline file-based scan configurations.
- POST /jobs/{jobId}/dastconfig/openapi/configure: Configures a DAST job using an OpenAPI specification.
- GET /jobs/{jobId}/dastconfig/additionalParams: Retrieves the list of additional parameters present in the scant file of a DAST scan configuration.
-
GET /issues/v2 enhancement: A new
showFullValuesparameter allows API responses to display complete, non-truncated values for comments, location, and description fields. - GET /issues/{jobId} enhancement: This API now supports downloading security issue details directly as a PDF report and includes additional related CWEs in the response for a more comprehensive vulnerability context.
- Remediation details in compliance reports: Compliance reports now include ‘How to Fix’ information, providing actionable remediation guidance directly within the generated report.
- Large Language Model (LLM) issue import: AppScan Enterprise now supports the
import of security issues identified in Large Language Models (LLMs) from scans
conducted in AppScan Standard 10.10.0 or future versions.Note:AppScan Enterprise doesn't support LLM scan, even if you configure the scan in AppScan Standard and push it to AppScan Enterprise. The scan will run without failing, but it won't scan the LLM.
- FIPS-compliant encrypted traffic support: Support has been added for FIPS-compliant encrypted traffic files generated from both the AppScan Activity Recorder and Traffic Recorder.
- Enhanced security reporting (Monitor page): Suppose an application has both SAST and DAST issues. In that case, the issue counts (Fixed Issues, New Issues, Open Issues, Overdue Issues, Total Issues, and Work In Progress) in the generated security report are now based on the number of issues selected and imported into the specific DAST and SAST reports.
- New compliance reports:
- Updated compliance reports:
- International Standard - ISO 27001 Industry Standard Report
- International Standard - ISO 27002 Industry Standard Report
- NIST Special Publication 800-53 Industry Standard Report
- The Payment Card Industry Data Security Standard (PCI DSS) Regulatory Compliance Report
- [US] Healthcare Services (HIPAA) Regulatory Compliance Report
- The General Data Protection Regulation (GDPR) Regulatory Compliance Report
- System and platform support:
- Official support has been added for Microsoft Windows Server 2025
- Support has been added for Microsoft OLE DB Driver 18 for SQL Server (MSOLEDBSQL18)
IAST agent updates
The IAST agents have been upgraded to the latest versions:
- Java: 1.21.0
- .NET: 1.15.0
- Node.js: 1.13.0
- PHP: 1.2.0
APAR fix list
The following Authorized Program Analysis Reports (APARs) were fixed:
| APAR No. | Description |
|---|---|
| KB0123145 | Fixed an incorrect license file path in the Configuration Wizard. |
| KB0120549 | Fixed an issue where reports from the Monitor page generated slowly for applications with many issues. |
| KB0122105 | Fixed an issue in the Monitor View where issue details overlapped for applications with long text values. |
| KB0121711 | Fixed an issue where the Activity Log screen was blank on the Administration Page for the Korean language. |
| KB0111644 | Fixed an error message that appeared in the default settings wizard during AppScan Enterprise installation when LDAP credentials had insufficient permissions. |
| KB0094517 | Fixed an issue where the PCI report on the Scan tab didn't show compliance details when the language was set to Japanese. |
Fixes and security updates
New security rules in this release include:COOP- Missing or insecure Cross-Origin-Opener-Policy (COOP) headerCORP- Missing or insecure Cross-Origin-Resource-Policy (CORP) headerCOEP- Missing or insecure Cross-Origin-Embedder-Policy (COEP) headerattCSPAPI- Missing or insecure "frame-ancestors" directive in CSP (for API endpoints)attApacheOFBizRCECVE202445195- Apache OFBiz RCE for CVE-2024-45195attApacheOFBizRCECVE202445507- Apache OFBiz RCE for CVE-2024-45507attSpringFrameworkPathTraversalCVE202438816- Spring Framework Path Traversal CVE-2024-38816 and CVE-2024-38819attWordpressPiePluginAuthenticationBypassCVE202534077- Wordpress Pie Register Insufficient Authentication CVE-2025-34077attWordPressKubioPathTraversalCVE20252294- Wordpress Kubio AI Page Builder plugin Path Traversal CVE-2025-2294- The Vulnerable Component Database has been updated to version 1.8
This release's complete list of fixes, updates, and RFEs is listed here.
Changed in this release
- WebSphere® Application Server (WAS) Liberty Core has been upgraded to version 25.0.0.9.
- The Chromium browser engine has been upgraded to version 142.0.7444.59 to incorporate the latest security fixes.
- The Aspose library has been upgraded to version 25.4.
Removed in this release
- The following OpenAPI endpoints are obsoleted:
- POST /jobs/{jobId}/dastconfig/openapi/add
- POST /jobs/{jobId}/dastconfig/openapi/url/add
Upcoming changes
- The Developer Essentials and the Vital Few test policies are now obsolete and will be removed in future releases. We recommend using the suggested alternative test policies.